System and method for identifying exploitable weak points in a network
Abstract
The system and method described herein may leverage passive and active vulnerability discovery to identify network addresses and open ports associated with connections that one or more passive scanners observed in a network and current connections that one or more active scanners enumerated in the network. The observed and enumerated current connections may be used to model trust relationships and identify exploitable weak points in the network, wherein the exploitable weak points may include hosts that have exploitable services, exploitable client software, and/or exploitable trust relationships. Furthermore, an attack that uses the modeled trust relationships to target the exploitable weak points on a selected host in the network may be simulated to enumerate remote network addresses that could compromise the network and determine an exploitation path that the enumerated remote network addresses could use to compromise the network.
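The four steps the abstract and claim 1 describe (identify exploitable hosts from observed connections, model the trust relationships each host accepts, simulate which addresses could use those relationships to reach the vulnerability, and keep the ones that correspond to remote clients with their own exploitable weak point) amount to a reachability analysis over a trust graph. The following Python is an added illustration of that analysis and is not code from the patent or its assignee; the connection records, host addresses, port numbers and finding identifiers are constructed sample data, and the pivot rule (an address can only be reached through a host whose accepted service is itself exploitable) is an assumption, since the patent does not specify an algorithm.

```python
"""Attack-path prediction over observed connections (added illustration).

Assumptions (not from the patent text): the connection records, the
vulnerability tables and the addresses below are constructed sample data,
and the pivot rule in simulate_attack() is a design choice of this example.
"""
from collections import deque

# Constructed: connections a passive scanner might have observed, recorded as
# (client_address, server_address, server_port). Each record means the server
# accepted traffic on that port from that client, i.e. a trust relationship.
OBSERVED_CONNECTIONS = [
    ("10.0.1.10", "10.0.2.20", 445),   # workstation -> file server (SMB)
    ("10.0.1.11", "10.0.2.20", 445),
    ("10.0.2.20", "10.0.3.30", 5432),  # file server -> database
    ("10.0.1.12", "10.0.3.30", 22),    # admin host -> database (SSH)
    ("10.0.4.40", "10.0.1.12", 3389),  # remote address -> admin host (RDP)
]

# Constructed: (host, port) pairs whose listening service is known exploitable.
# Values are placeholder finding identifiers, not real CVE numbers.
EXPLOITABLE_SERVICES = {
    ("10.0.3.30", 5432): "FINDING-DB-001",
    ("10.0.2.20", 445): "FINDING-SMB-001",
}

# Constructed: client addresses running exploitable client software.
EXPLOITABLE_CLIENTS = {
    "10.0.1.10": "FINDING-CLIENT-001",
    "10.0.4.40": "FINDING-CLIENT-002",
}


def build_trust_model(connections):
    """Step 2: map each (server, port) to the set of client addresses it
    accepted. This is the 'trust relationships accepted at a host' model:
    the scanner only knows which addresses actually talked to which ports."""
    accepted = {}
    for client, server, port in connections:
        accepted.setdefault((server, port), set()).add(client)
    return accepted


def identify_exploitable_hosts(connections, exploitable_services):
    """Step 1: keep only exploitable services whose port was actually seen
    open in an observed connection."""
    open_ports = {(server, port) for _, server, port in connections}
    return {key: finding for key, finding in exploitable_services.items()
            if key in open_ports}


def simulate_attack(target, vuln_port, trust, exploitable_hosts):
    """Step 3: enumerate every address that can use accepted trust
    relationships to reach (target, vuln_port). A breadth-first walk backwards
    along accepted connections; pivoting through an intermediate host is only
    allowed via a service of that host that is itself exploitable (assumption).

    Returns {address: path}, where path lists the (host, port) hops from that
    address to the target vulnerability."""
    paths = {}
    queue = deque([((target, vuln_port), [(target, vuln_port)])])
    seen = {(target, vuln_port)}
    while queue:
        (host, port), path = queue.popleft()
        for client in trust.get((host, port), ()):
            paths.setdefault(client, path)  # first (shortest) path wins
            for (h, p) in exploitable_hosts:
                if h == client and (h, p) not in seen:
                    seen.add((h, p))
                    queue.append(((h, p), [(h, p)] + path))
    return paths


def predict_attack_paths(connections, exploitable_services, exploitable_clients):
    """Steps 1 to 4: for each exploitable host, report the addresses that can
    reach its vulnerability and the subset that correspond to remote clients
    with their own exploitable weak point, together with the exploitation path."""
    trust = build_trust_model(connections)
    exploitable_hosts = identify_exploitable_hosts(connections, exploitable_services)
    report = {}
    for (host, port), finding in exploitable_hosts.items():
        reachable = simulate_attack(host, port, trust, exploitable_hosts)
        compromising = {
            addr: {"client_finding": exploitable_clients[addr], "path": path}
            for addr, path in reachable.items() if addr in exploitable_clients
        }
        report[(host, port)] = {"finding": finding, "reachable": reachable,
                                "compromising": compromising}
    return report


if __name__ == "__main__":
    for (host, port), entry in predict_attack_paths(
            OBSERVED_CONNECTIONS, EXPLOITABLE_SERVICES, EXPLOITABLE_CLIENTS).items():
        print(f"{host}:{port} ({entry['finding']})")
        for addr, detail in entry["compromising"].items():
            hops = " -> ".join(f"{h}:{p}" for h, p in detail["path"])
            print(f"  {addr} ({detail['client_finding']}) via {addr} -> {hops}")
```

On the sample data the database host 10.0.3.30 is reachable on its exploitable port from the file server and, by pivoting through the file server's exploitable SMB service, from both workstations; only 10.0.1.10 is also an exploitable client, so it is the one address reported as able to compromise the database. The admin host's SSH session is not a path because port 22 is not the exploitable service, and 10.0.4.40 never reaches a vulnerable port at all, which is the kind of distinction a defender wants the model to make before prioritising remediation.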
35 Claims
1. A system for predicting attack paths in a network, comprising:

- one or more scanners configured to determine one or more network addresses and one or more open ports associated with one or more connections in the network; and
- one or more hardware processors coupled to the one or more scanners, wherein the one or more hardware processors are configured to:
  - identify, in the network, at least one host that has an exploitable vulnerability based on the one or more network addresses and the one or more open ports associated with the one or more network connections;
  - model one or more trust relationships accepted at the at least one host based on the one or more network addresses and the one or more open ports associated with the one or more network connections, wherein the one or more trust relationships accepted at the at least one host provide an available access control path to the exploitable vulnerability on the at least one host;
  - simulate an attack against the at least one host, the simulated attack used to determine one or more network addresses that could use the one or more trust relationships accepted at the at least one host to reach the exploitable vulnerability on the at least one host; and
  - determine that the one or more network addresses could be used to compromise the at least one host based at least in part on the one or more network addresses corresponding to one or more remote clients that have one or more exploitable weak points.

Dependent claims: 2-17.
18. A method for predicting attack paths in a network, comprising:

- configuring one or more scanners to determine one or more network addresses and one or more open ports associated with one or more connections in the network;
- identifying, in the network, at least one host that has an exploitable vulnerability based on the one or more network addresses and the one or more open ports associated with the one or more network connections;
- modeling one or more trust relationships accepted at the at least one host based on the one or more network addresses and the one or more open ports associated with the one or more network connections, wherein the one or more trust relationships accepted at the at least one host provide an available access control path to the exploitable vulnerability on the at least one host;
- simulating an attack against the at least one host, the simulated attack used to determine one or more network addresses that could use the one or more trust relationships accepted at the at least one host to reach the exploitable vulnerability on the at least one host; and
- determining that the one or more network addresses could be used to compromise the at least one host based at least in part on the one or more network addresses corresponding to one or more remote clients that have one or more exploitable weak points.

Dependent claims: 19-34.
35. A computer-readable storage device having computer-executable instructions stored thereon for predicting attack paths in a network, wherein the computer-executable instructions are configured to cause one or more processors to:

- configure one or more scanners to determine one or more network addresses and one or more open ports associated with one or more connections in the network;
- identify, in the network, at least one host that has an exploitable vulnerability based on the one or more network addresses and the one or more open ports associated with the one or more network connections;
- model one or more trust relationships accepted at the at least one host based on the one or more network addresses and the one or more open ports associated with the one or more network connections, wherein the one or more trust relationships accepted at the at least one host provide an available access control path to the exploitable vulnerability on the at least one host;
- simulate an attack against the at least one host, the simulated attack used to determine one or more network addresses that could use the one or more trust relationships accepted at the at least one host to reach the exploitable vulnerability on the at least one host; and
- determine that the one or more network addresses could be used to compromise the at least one host based at least in part on the one or more network addresses corresponding to one or more remote clients that have one or more exploitable weak points.